mirror of https://github.com/NixOS/nix synced 2025-06-25 06:31:14 +02:00

No description

Find a file

Eelco Dolstra 0da3b18520 Fixes for GHSA-g948-229j-48j3 Squashed commit of the following: commit 04fff3a637d455cbb1d75937a235950e43008db9 Author: Eelco Dolstra <edolstra@gmail.com> Date: Thu Jun 12 12:30:32 2025 +0200 Chown structured attr files safely commit 5417ad445e414c649d0cfc71a05661c7bf8f3ef5 Author: Eelco Dolstra <edolstra@gmail.com> Date: Thu Jun 12 12:14:04 2025 +0200 Replace 'bool sync' with an enum for clarity And drop writeFileAndSync(). commit 7ae0141f328d8e8e1094be24665789c05f974ba6 Author: Eelco Dolstra <edolstra@gmail.com> Date: Thu Jun 12 11:35:28 2025 +0200 Drop guessOrInventPathFromFD() No need to do hacky stuff like that when we already know the original path. commit 45b05098bd019da7c57cd4227a89bfd0fa65bb08 Author: Eelco Dolstra <edolstra@gmail.com> Date: Thu Jun 12 11:15:58 2025 +0200 Tweak comment commit 0af15b31209d1b7ec8addfae9a1a6b60d8f35848 Author: Raito Bezarius <raito@lix.systems> Date: Thu Mar 27 12:22:26 2025 +0100 libstore: ensure that temporary directory is always 0o000 before deletion In the case the deletion fails, we should ensure that the temporary directory cannot be used for nefarious purposes. Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120 Signed-off-by: Raito Bezarius <raito@lix.systems> commit 2c20fa37b15cfa03ac6a1a6a47cdb2ed66c0827e Author: Raito Bezarius <raito@lix.systems> Date: Wed Mar 26 12:42:55 2025 +0100 libutil: ensure that `_deletePath` does NOT use absolute paths with dirfds When calling `_deletePath` with a parent file descriptor, `openat` is made effective by using relative paths to the directory file descriptor. To avoid the problem, the signature is changed to resist misuse with an assert in the prologue of the function. Change-Id: I6b3fc766bad2afe54dc27d47d1df3873e188de96 Signed-off-by: Raito Bezarius <raito@lix.systems> commit d3c370bbcae48bb825ce19fd0f73bb4eefd2c9ea Author: Raito Bezarius <raito@lix.systems> Date: Wed Mar 26 01:07:47 2025 +0100 libstore: ensure that `passAsFile` is created in the original temp dir This ensures that `passAsFile` data is created inside the expected temporary build directory by `openat()` from the parent directory file descriptor. This avoids a TOCTOU which is part of the attack chain of CVE-????. Change-Id: Ie5273446c4a19403088d0389ae8e3f473af8879a Signed-off-by: Raito Bezarius <raito@lix.systems> commit 45d3598724f932d024ef6bc2ffb00c1bb90e6018 Author: Raito Bezarius <raito@lix.systems> Date: Wed Mar 26 01:06:03 2025 +0100 libutil: writeFile variant for file descriptors `writeFile` lose its `sync` boolean flag to make things simpler. A new `writeFileAndSync` function is created and all call sites are converted to it. Change-Id: Ib871a5283a9c047db1e4fe48a241506e4aab9192 Signed-off-by: Raito Bezarius <raito@lix.systems> commit 732bd9b98cabf4aaf95a01fd318923de303f9996 Author: Raito Bezarius <raito@lix.systems> Date: Wed Mar 26 01:05:34 2025 +0100 libstore: chown to builder variant for file descriptors We use it immediately for the build temporary directory. Change-Id: I180193c63a2b98721f5fb8e542c4e39c099bb947 Signed-off-by: Raito Bezarius <raito@lix.systems> commit 962c65f8dcd5570dd92c72370a862c7b38942e0d Author: Raito Bezarius <raito@lix.systems> Date: Wed Mar 26 01:04:59 2025 +0100 libstore: open build directory as a dirfd as well We now keep around a proper AutoCloseFD around the temporary directory which we plan to use for openat operations and avoiding the build directory being swapped out while we are doing something else. Change-Id: I18d387b0f123ebf2d20c6405cd47ebadc5505f2a Signed-off-by: Raito Bezarius <raito@lix.systems> commit c9b42462b75b5a37ee6564c2b53cff186c8323da Author: Raito Bezarius <raito@lix.systems> Date: Wed Mar 26 01:04:12 2025 +0100 libutil: guess or invent a path from file descriptors This is useful for certain error recovery paths (no pun intended) that does not thread through the original path name. Change-Id: I2d800740cb4f9912e64c923120d3f977c58ccb7e Signed-off-by: Raito Bezarius <raito@lix.systems>		2025-06-19 16:41:46 +02:00
.github	.github/ci: Use fixed names	2024-12-31 17:35:07 +01:00
contrib	function-trace: always show the trace	2019-09-18 23:23:21 +02:00
doc/manual	Set FD_CLOEXEC on sockets created by curl	2025-02-19 19:47:45 +00:00
maintainers	maintainers/release-notes: Let it fail	2025-04-07 08:52:33 +00:00
misc	Install init system configs only when relevant	2024-12-03 16:51:01 +01:00
nix-meson-build-support	packaging: use optimization level 3 and LTO by default	2025-01-01 21:59:37 -08:00
packaging	packaging: Various improvements	2025-04-01 17:49:43 +00:00
scripts	nix-daemon: source nix-profile-daemon.sh only once	2025-04-01 06:47:30 +00:00
src	Fixes for GHSA-g948-229j-48j3	2025-06-19 16:41:46 +02:00
tests	Actually ignore system/user registries during locking	2025-04-09 16:33:37 +00:00
.clang-format	Factor out `lookupExecutable` and other PATH improvments	2024-08-07 18:12:58 -04:00
.clang-tidy	Add .clang-tidy	2024-02-01 01:01:39 +01:00
.dir-locals.el	.dir-locals.el: Set c-block-comment-prefix	2020-07-10 11:21:06 +02:00
.editorconfig	No global eval settings in `libnixexpr`	2024-06-24 12:15:16 -04:00
.gitignore	Prune unneeded .gitignore entries	2024-12-11 16:20:29 +01:00
.mergify.yml	mergify: Add automatic backport label	2025-01-20 17:11:06 +01:00
.shellcheckrc	housekeeping: shellcheck for tests/functional/ca/build-cache.sh	2024-06-12 17:41:16 -04:00
.version	Bump version	2025-03-05 19:34:04 +01:00
CITATION.cff	chore: PhD thesis as reference in `CITATION.cff`	2024-05-18 20:05:22 +02:00
CONTRIBUTING.md	Rename `doc/manual{src -> source}`	2024-10-14 11:21:24 -04:00
COPYING	* Change this to LGPL to keep the government happy.	2006-04-25 16:41:06 +00:00
default.nix	Format .nix files	2025-01-24 20:40:21 +01:00
docker.nix	Format .nix files	2025-01-24 20:40:21 +01:00
flake.lock	use libgit2 from nixpkgs	2024-12-16 16:50:58 +01:00
flake.nix	packaging: Various improvements	2025-04-01 17:49:43 +00:00
HACKING.md	Rename `doc/manual{src -> source}`	2024-10-14 11:21:24 -04:00
meson.build	Add nix-flake-c, nix_flake_init_global, nix_flake_settings_new	2024-11-24 23:57:24 +01:00
meson.options	Don't build the API docs in the devshell	2024-11-12 20:18:33 +01:00
precompiled-headers.h	Build a minimized Nix with MinGW	2024-04-17 12:26:10 -04:00
README.md	README: update CI badge	2024-08-22 23:16:14 +08:00
shell.nix	Remove url literals	2022-01-24 13:28:21 +01:00

README.md

Nix

Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.

Installation and first steps

Visit nix.dev for installation instructions and beginner tutorials.

Full reference documentation can be found in the Nix manual.

Building and developing

Follow instructions in the Nix reference manual to set up a development environment and build Nix from source.

Contributing

Check the contributing guide if you want to get involved with developing Nix.

Additional resources

Nix was created by Eelco Dolstra and developed as the subject of his PhD thesis The Purely Functional Software Deployment Model, published 2006. Today, a world-wide developer community contributes to Nix and the ecosystem that has grown around it.

The Nix, Nixpkgs, NixOS Community on nixos.org
Official documentation on nix.dev
Nixpkgs is the largest, most up-to-date free software repository in the world
NixOS is a Linux distribution that can be configured fully declaratively
Discourse
Matrix

License

Nix is released under the LGPL v2.1.